Cisco CCNA ICND2 640-816

Switch VLANs: Configuring VLANs and VTP, Part 2

by Jeremy Cioara

00:00:00 - Welcome to configuring VLANs and VTP Part 2.
00:00:05 - I plan on picking up right where we have left off where we have the switches
00:00:07 - added to the network, trunks configured, VTP is running, VLANs
00:00:11 - are replicating. Now, let's move into some of the VLAN architectural
00:00:14 - design, and I have added one more topic that I'd like to talk about
00:00:18 - in this video because it ties right in, and that is configuring routing
00:00:21 - between VLANs once we have the VLANs set up and configured.
00:00:26 - So I have enhanced our network diagram from the previous video,
00:00:29 - and I went ahead and notated where the trunks were because those are
00:00:32 - now hard coded in the network. All the other ports are considered
00:00:35 - access ports. You'll notice down here, I mentioned the VLANs that are in
00:00:39 - use, those are the ones that we created in the last video.
00:00:42 - One is the default VLAN and at this point everything
00:00:46 - is assigned to the default VLAN, everything is in VLAN 1.
00:00:49 - Down here, I have the sales VLAN, marketing
00:00:52 - VLAN, and engineering VLAN that is replicated between switch
00:00:55 - 1, 2 and 3, all on this network.
00:00:59 - Now as of right now, those are there and the switches have
00:01:01 - them, but they're not doing anything. So one of the last steps
00:01:06 - that we have to take is to assign the ports to the VLAN.
00:01:09 - Now, before I do that I want to do a little test. I want to
00:01:12 - bring up a command prompt here. Let me just, I'll
00:01:15 - do a start, run, CMD. Got my command prompt up. Now, this computer
00:01:21 - right here is the 192.168.1.50.
00:01:25 - You can see I have the ethernet adapter lab. This is the IP address
00:01:29 - that I am using. It is, the, the computer I'm showing you right
00:01:31 - now is this guy right here, 1.50. So as of right now that
00:01:36 - PC is able to ping this PC, and well anything else in the network.
00:01:40 - Let me just verify that.
00:01:44 - I will do a ping 192.168.1.20. That's the
00:01:47 - other PC. Sure enough, I am able to ping. That's, that's reaching
00:01:50 - from here to here. Let's just do a couple more test pings.
00:01:54 - I'm going to ping from here to 192.168.1.2.
00:02:00 - Sure enough that is successful. And one more, I'm just going
00:02:03 - to do to 192.168.1.1, right
00:02:07 - up here.
00:02:10 - Okay, good. That is all verified working because every port
00:02:14 - is assigned to the same VLAN. So let's think about network
00:02:18 - architecture here. As soon as I type in ping 192.168.1.20,
00:02:21 - this sends out an ARP broadcast, right, to the entire
00:02:26 - VLAN saying, hello, who is 192.168.1.20?
00:02:30 - This computer receives the broadcast, responds and says, that's me, here's
00:02:33 - my MAC address, and now that PC comes over and pings the device
00:02:37 - and is able to reach that device. So we're good. We are verified
00:02:41 - working between our connections. Now, let's move down to step
00:02:45 - number 4 here, assigning ports to the VLAN. This switch is attached
00:02:49 - or sorry, this PC is attached to switch number 3 on Fast Ethernet
00:02:53 - 0/8. So I want to jump over there.
00:02:58 - Go to switch 3. I will do a show VLAN, and I can see
00:03:03 - that this one still does have the
00:03:06 - three VLANs we created; sales, marketing and engineering. However,
00:03:09 - everything is assigned to Fast Ethernet 0/8 or sorry,
00:03:12 - to VLAN 1, including Fast Ethernet 0/8. I will do a show run
00:03:16 - interface fa0/8, and I can see this is set up to switch
00:03:20 - port mode access. It's an access port that is a non-trunking
00:03:25 - device. So, what I'm going to do is assign that. Let's move
00:03:29 - that PC, the one I was just pinging from, into the sales VLAN.
00:03:34 - The way we do that is get into global config mode, into interface Fast
00:03:38 - Ethernet 0/8. I'm going to type in,
00:03:42 - well we've already, usually I'll type in switchport
00:03:45 - mode access, but we've already got that in there so that's
00:03:49 - okay. So I'll type in switchport access. Since this is an access port, it is going to
00:03:54 - access and then I just type in VLAN and what number of VLAN I would
00:03:58 - like it to access. So I could say the VLAN 10, enter. Now at that
00:04:03 - point, I have now moved this PC
00:04:08 - into a new VLAN and we're going to be building this network diagram
00:04:10 - as we go. It's going to stay there. We have this PC that is now
00:04:14 - in VLAN 10. Everything else is in VLAN 1. Now at this
00:04:18 - point, I'm going to just bring that command prompt right back up again,
00:04:22 - the one I was doing all those test pings from. Let's see if
00:04:25 - I can ping 192.168.1.20.
00:04:28 - Again, the PC right next to it.
00:04:32 - Nothing. Let's see, destination host is unreachable, not going to
00:04:37 - happen. Timed out. Not, you know, the, the ping is failing.
00:04:41 - Let's hit the up arrow and try pinging 1.1.
00:04:43 - Nothing. Control-C, 1.2, nothing. I can tell you, nothing
00:04:49 - is going to work because we have segmented this into a separate VLAN.
00:04:53 - And remember when we do that, a VLAN equals a subnet
00:04:56 - equals a broadcast domain. That PC, even though it's plugged into the same switch,
00:05:01 - is completely isolated from the network, okay.
00:05:06 - Now, what I'm going to do just, just to prove this, as of right now,
00:05:10 - I'll jump back here, do that test ping to 1.20 one more time.
00:05:14 - We can see it's failing because that PC is in a separate VLAN.
00:05:17 - So when they ARP broadcasts, remember it's a broadcast that goes out,
00:05:20 - it goes to everything in VLAN 10, which is just this PC.
00:05:23 - So it goes nowhere. Nobody receives the ARP message. Now, what if
00:05:27 - we add this PC
00:05:33 - into VLAN 10 as well? Well, let's check it out and see
00:05:39 - what happens. I'm going to jump over to my
00:05:43 - Tera Term connection here, Control-Shift-6 X back to my access server switch 2.
00:05:47 - Now, that PC, the 1.20 is plugged into
00:05:52 - Fast Ethernet 0/8 on switch 2 as well. Now, that one I
00:05:56 - have a remote connection to. I'm sitting on 1.50. The
00:05:59 - PC at 1.20 is remotely controlled so I'll bring
00:06:02 - up that prompt. That's the remote session with the 1.20.
00:06:06 - I will do an ipconfig just to verify. There it is, 192.168.1.20.
00:06:09 - I am gonna ping. Let's do 192.168.1.1.
00:06:13 - Good because we're still on the,
00:06:17 - the VLAN 1 on this PC. 1.2, good, life is peachy. Now, I am going
00:06:21 - to hit the up arrow and ping 1.50, verified dead
00:06:25 - because that is the PC that is in a separate VLAN. So let's
00:06:28 - do this, I'm going to minimize this guy down, bring up my
00:06:33 - switch 2, go into interface, oh, let me do a show VLAN just to
00:06:38 - verify. We've got the sales VLAN here as well. I'm going to go into
00:06:42 - interface Fast Ethernet 0/8 and do switchport
00:06:48 - access VLAN 10. Done. What that has done is now moved this
00:06:55 - computer into the same VLAN as this PC. Now, remember these
00:06:59 - are trunk ports, so if this one sends an ARP broadcast saying,
00:07:03 - hey, who is this certain IP address? That will cross the trunk with a
00:07:06 - 802.1q tag saying, I'm a part of VLAN 10. Hits this, travels
00:07:11 - down this trunk, and will come out to every port that is in
00:07:13 - VLAN 10, which should be this one and it should receive that ARP
00:07:17 - broadcast. So now that I've transitioned that over to
00:07:21 - VLAN 10,
00:07:23 - I will bring up that remote session again. I will hit the up arrow, you can see
00:07:26 - before it was failing on the ping to 1.50. Hit the
00:07:29 - up arrow, do it again, and now we are successful. We can see that
00:07:33 - those, those two PCs are now able to reach each other, but
00:07:36 - look at what happened. As soon as I try and ping 1.2,
00:07:40 - dead now. Control-C, 1.1, dead. I think I've proven my
00:07:45 - point that when you segment into separate VLANs, you are really segmenting
00:07:49 - networks. Those are now on a completely separate network. So
00:07:56 - remember I have said, a VLAN equals a subnet equals a broadcast domain.
00:08:00 - What I want to do is come up with a scheme to make routing
00:08:06 - possible. The first thing I want to do is I want to transition this
00:08:09 - guy over to VLAN 20 just because it would be good to have
00:08:14 - a couple of VLANs going. We can set up routing between
00:08:17 - all of them to allow VLANs to reach each other. So let me
00:08:20 - bring up my prompt. Just hit the up arrow. We're still on that same switch,
00:08:24 - and I'll just say, you are in VLAN 20.
00:08:27 - Do a show VLAN and I can see there's my Fast Ethernet 0/8
00:08:31 - segmented into VLAN 20. So with that in place, we've got
00:08:35 - these two computers that are totally isolated from the rest. They can't ping
00:08:39 - each other. They can't ping anything in VLAN 1 up here.
00:08:43 - So we are dead in the water. Now, what we need to do any
00:08:46 - time we create VLANs is do some subnetting. The most common
00:08:50 - thing I see, and I think it's a great idea,
00:08:54 - is to create subnets that match VLANs number,
00:08:58 - VLAN numbers. Let me, let me talk, show you what I'm talking about. I have got VLAN 1
00:09:02 - right now and VLAN 1 is 192.168.1.0.
00:09:07 - I'll type all this up as we perfect our
00:09:12 - network diagram so it looks prettier. So that's VLAN 1. I have got VLAN 10
00:09:15 - which is currently, you know, assigned the IP address, 192.168.1
00:09:22 - but you can't have that. Every VLAN needs
00:09:25 - to be a subnet, so we will have this one be
00:09:28 - 192.168.10.0/24. That's what
00:09:33 - I mean when I'm talking about VLAN numbers equaling the subnet
00:09:37 - numbers. I kind of like, like the idea of using a
00:09:40 - 10 in the address so I can quickly relate VLAN 10 to that.
00:09:44 - VLAN 20;
00:09:47 - we'll make 192.168.20.0/24, okay.
00:09:52 - So we've got this new subnetting
00:09:57 - scheme that we've got in place. I'll need to go in and change all the
00:09:59 - IP addresses. I might as well do that here. At this point, you
00:10:04 - probably know how to change IP addresses. Okay, you know how to
00:10:07 - change IP addresses, but I'll do it here just because I've got
00:10:11 - the recording going. This is Windows Vista. So maybe in Windows
00:10:14 - Vista you haven't changed IP addresses. The manage network connections
00:10:18 - because right now I've got my wireless and local. I'll go to the properties for the
00:10:24 - local. Now, this one is going to move to VLAN 20. So we'll say this is
00:10:29 - 192.168.20.20. Now, just
00:10:33 - change them over to a different subnet. Now, I haven't set up a
00:10:36 - default gateway yet, but if I do, I'm gonna make it 20.1
00:10:39 - that it, it's able to use. Click OK, okay on there and we've got
00:10:43 - that IP address changed. I will change the IP address on my computer later
00:10:46 - because there's some tricks I need to do on that because
00:10:48 - that's what I'm recording on so it will kind of hold up my recording
00:10:51 - if I do that. So this one is now going to be changed over to 20.20.
00:10:55 - And when we are setting up routing between VLANs
00:10:59 - we really have three separate options.
00:11:03 - Those three options are, number one; using a separate port
00:11:07 - to each VLAN, two, a router-on-a-stick. That is its technical
00:11:12 - name, not a, it's like a corn dog router. It's, that's, I'm not making
00:11:16 - that up. You can Google that and you'll find router-on-a-stick
00:11:18 - configurations. And third is layer 3 switching. Now, at the
00:11:23 - CCNA level, before I describe each one of these, you are expected
00:11:27 - to do one and two from this list. The CCNP will actually
00:11:33 - move into layer 3 switching. But I'm telling you, layer 3
00:11:37 - switching is so easy. I think I am gonna show it to you in this video. So first off, separate
00:11:42 - port to each VLAN. Now, you can see that we've got a little
00:11:46 - example here. We've got two VLANs, VLAN 50 and 51.
00:11:48 - This computer up here will say 1.50 is assigned
00:11:53 - to VLAN 50, and this computer right here, 2.50, is
00:11:57 - assigned to VLAN 51.
00:11:59 - Now, we could go to our router and plug it in to a switch, put one
00:12:05 - port into VLAN 50 and, you know, assign that port to VLAN 50
00:12:08 - right here on the switch. Put the other port into VLAN 51,
00:12:11 - and assign that port to that respective VLAN. Configure
00:12:15 - these with respective IP addresses from each subnet. For instance,
00:12:19 - 1.1 is from the subnet we're using here for the
00:12:22 - 1.50 and 2.1 is from this subnet we're
00:12:25 - using here for 2.50. So what we would do is set
00:12:29 - the default gateway on this PC to that IP address that, you know,
00:12:35 - within its VLAN. The default gateway in here would be this IP address.
00:12:39 - So if 192.168.1.50 pinged 2.50, it would actually
00:12:43 - go out of the switch, reach the router on Fast Ethernet 0/0,
00:12:47 - the router would to look at it and say, oh, well, you're going
00:12:50 - out this interface, into the same switch on VLAN 51
00:12:53 - and come out and ping this device. Now, the problem with doing
00:12:58 - a separate port to each VLAN is it's just not practical
00:13:02 - nor is it scalable. Meaning the more VLANs you add, it is not
00:13:06 - uncommon in, in companies to have 50, 60 different VLANs.
00:13:11 - I mean there's just not a router that exists that has 50
00:13:14 - or 60 different Fast Ethernet ports, and if it did, it would just
00:13:17 - be insanely expensive. So what, you know, it's, it's first off not
00:13:22 - really practical interface wise. It's just ugly wiring wise
00:13:25 - because you're wasting a switch port for every single router
00:13:29 - connection that you need to have and so on. So it works, it's doable
00:13:33 - but not practical. That's why Cisco came out with a router-on-a-stick.
00:13:37 - That's, that's the name. What it does is configure a trunk
00:13:43 - connection to the router. Now, remember a trunk connection forwards
00:13:47 - all VLAN traffic. So when this computer wants to reach
00:13:51 - its default gateway, you know, 1.1, it will come out across
00:13:54 - the trunk. When this one wants to reach its default gateway, it will come
00:13:58 - out the trunk as well. Now, there are some configuration thoughts
00:14:02 - that have to go into this as in, you know, what IP address are you going to
00:14:05 - give that interface and how are you going to set that all
00:14:07 - up. But that, I've got a separate slide just for that. So I'm going to
00:14:10 - save that discussion till then. The last kind of method that
00:14:15 - we can use to route between VLANs is a layer 3 switch.
00:14:20 - What this is is a router inside of a switch. You'll,
00:14:24 - you'll hear this term slung around all over the place, layer 3
00:14:27 - switching, layer 3 switching. A lot of people say multilayer
00:14:29 - switching. It is a router inside of the switch. It's, it's like
00:14:33 - this concept, I wish I could animate this and imagine me putting
00:14:36 - my hand right here and just going err-ugh and smooshing that
00:14:40 - router into the switch because that's exactly what a layer
00:14:43 - 3 switch is, a router inside of a switch. Instead of
00:14:47 - having an outside router,
00:14:50 - we create VLAN interfaces on that layer 3 switch
00:14:56 - that is reachable by everything inside of that VLAN. So
00:15:01 - for example, if this, this computer right here is assigned to VLAN 51
00:15:05 - and I chose 192.168.2.0 as the
00:15:08 - subnet for VLAN 51, well I could create a virtual interface
00:15:13 - on this switch called interface VLAN 51 and give it an
00:15:17 - IP address which is immediately reachable by this PC and
00:15:21 - it can come into that switch just like it would be, you know,
00:15:23 - coming into this router right here or coming into this router right
00:15:26 - here and say, I would like to reach, you know, this other PC? And the
00:15:30 - switch would say, great, let me just switch over here to the separate VLAN, and now
00:15:33 - you're able to reach that separate subnet. You know, while we're
00:15:36 - here, I'm, I'm really going to spend a lot of time on the router-on-a-stick
00:15:39 - configuration because that's what the CCNA exam
00:15:42 - expects you to do, and you'll see a lot in, in lab environments and, and even
00:15:47 - in the real world. So let me show you the layer 3 switching
00:15:51 - right now. I'm going to, this is kind of on the fly so
00:15:55 - forgive me if it completely blows up. I'm going to bring out our network diagram
00:15:59 - back over. This switch right here is a layer 3 switch. And just
00:16:04 - to give you a general idea, these are layer 2 switches.
00:16:08 - They don't have layer 3 capabilities. So layer 2 switch, general
00:16:12 - price of about, you know, approximately,
00:16:16 - we'll say 400 bucks for a brand new 24-port
00:16:20 - layer 2 managed switch. Now, that is a pretty decent price. Layer
00:16:24 - 3 switch, for the same number of ports, same speed, 100 meg per second,
00:16:26 - layer 3 switch is probably at about
00:16:31 - 2,400 bucks, they're the same bucks. It costs that much
00:16:35 - more because it's a huge software upgrade that allows your switch
00:16:39 - to do routing capabilities. So
00:16:43 - switch number 1 is a layer 3 switch. So let me show you
00:16:46 - how you would set one up. I'm going to grab my configuration window.
00:16:49 - Like I said, it's kind of on the fly. So as of right now,
00:16:56 - let's see. Is this going to work? Yeah, we'll see, hmm. Down here I have
00:17:02 - VLAN 20, right, which I went at and re-assigned this, this
00:17:06 - PC in that VLAN. 192.168.20.20
00:17:09 - is its IP address. Now, as of right now that's totally isolated
00:17:13 - from the rest of the network because everything is assigned to
00:17:15 - VLAN 1, which is 192.168.1.0.
00:17:19 - Well, if I was configuring a layer 3 switch, what I could do
00:17:23 - is go up to switch 1, let me do that right now,
00:17:27 - and I am going to do a show IP interface brief. Now, you can see it has
00:17:32 - one interface in VLAN 1, 192.168.1.10.
00:17:35 - That's its IP address we're using to telnet to
00:17:38 - it and so on. But watch what I am gonna do.
00:17:42 - I am going into interface VLAN 20. Now, remember when
00:17:47 - we created VLANs, right, in the previous video, we didn't type interface
00:17:52 - VLAN 20, we just typed in VLAN 20. That creates a
00:17:54 - VLAN. Interface VLAN 20 creates a new layer 3 interface
00:18:00 - for that VLAN. Let me move on with this configuration, and then
00:18:03 - I will explain how it works. I'm going to give this, the IP address,
00:18:07 - 192.168.20.1.
00:18:11 - 255.255.255.0, okay.
00:18:15 - Now, I am gonna do a show, show IP interface brief now that I have done that and
00:18:20 - notice we have got a switch with two VLAN interfaces, VLAN 1 and VLAN 20.
00:18:26 - Now, there's one more command I need to do on a,
00:18:29 - on a switch. This is the layer 3 command,
00:18:34 - IP routing. What that does is that it says, turn on the routing
00:18:38 - capabilities of the switch. It is like a big light switch inside of
00:18:41 - that switch that just went click and it's now able to run routing
00:18:44 - capabilities. So remember this, this PC that wasn't able to reach
00:18:49 - anything before? Let me go back to it. Where is it at? Right here. I'm going to
00:18:54 - bring up a command prompt on that PC.
00:18:59 - It's kind of out of your window, but I'll bring it up right here.
00:19:02 - Do an ipconfig and I can see I have got 192.168.20.20
00:19:06 - is the IP address. Notice the default gateway,
00:19:09 - 20.1. It's the same IP address I gave the layer 3 switch.
00:19:14 - Let me ping it. Hmm, oh, just like, now like I said, this was on the fly.
00:19:24 - But there it is. It just takes a second to respond the first time.
00:19:27 - There we go. We've got the, the ping coming back successfully. So
00:19:31 - 20.1 is responding. Now, who is 20.1? Check it out.
00:19:34 - I am going to type in telnet 192.168.20.1.
00:19:37 - Forgive the characters kind of glitching. This is
00:19:39 - a remote session so it's with the remote PC so it is a little glitchy
00:19:44 - on the graphics. So I telnet over and check out, oh, man.
00:19:48 - Look at where I am, I am on switch 1. Switch 1 is now responding
00:19:52 - to that IP address that I just gave it. So here's the big
00:19:55 - picture. This switch has an IP address in each VLAN.
00:20:00 - 192.168.1.10 is in VLAN 1.
00:20:04 - It also has 192.168.2.1/24
00:20:09 - that is in VLAN 20. Since it's
00:20:13 - a router inside, I can actually go from this PC into the
00:20:19 - switch as my default gateway. The switch gets it on its layer 3
00:20:24 - routed interface and says, well let me route you over to
00:20:26 - VLAN 1. Check it out. I'm going to jump back over to, so where was I?
00:20:31 - This remote session with the PC. I am gonna ping 192.168.20.1,
00:20:35 - again my default gateway.
00:20:38 - Now, let me ping 192.168.1.10.
00:20:43 - No, yes, yes, no. Dah! Failure.
00:20:53 - No, I'm just, it fell apart. I just, I, I thought of something as soon as, as soon as I
00:20:58 - put this together. The problem as of right now is that
00:21:04 - all of these other devices in VLAN 1 don't know that this
00:21:08 - 192.168.20.x subnet exists.
00:21:12 - Meaning I haven't turned on a routing protocol that's advertising
00:21:15 - that to some, everybody else. So if I were to actually do a trace
00:21:18 - route and follow packets, I would be able to see that the
00:21:21 - packets can reach devices in VLAN 1, but because I haven't set
00:21:25 - up true routing to where they know that the 20.x
00:21:29 - subnet exists, that should be 20.1,
00:21:33 - the 20.x subnet exists, they, they don't know
00:21:36 - where to send it back. So the, the, the end to end ping isn't gonna work
00:21:41 - but the concept is still good. I am telling you, this is great. This is,
00:21:44 - it's great stuff. That is how you can configure a layer 3
00:21:48 - switch, which is just adding VLAN interfaces to the
00:21:52 - switch and it's then able to route between them just like, just
00:21:55 - like this except it's all inside of the switch.
00:21:59 - Alright, now that I've shown you how a layer 3 switch works,
00:22:02 - let's talk about how we do it at the CCNA level. Understanding a
00:22:05 - router-on-a-stick. This is a viable method to route between
00:22:10 - VLANs that actually works quite well, and I'll tell you why.
00:22:13 - First, it looks very inefficient, but it actually works very
00:22:16 - well. The
00:22:19 - devices that are plugged into the separate VLANs, we have
00:22:22 - VLAN 50 up here, VLAN 51, and just for the sake of argument,
00:22:26 - VLAN 50 is 192.168.1.0/24
00:22:30 - and VLAN 51 is 192.168.2.0/24.
00:22:34 - So those are the
00:22:38 - subnets that are assigned. These PCs are placed in those VLANs.
00:22:41 - A router-on-a-stick will enable a trunk link between the
00:22:47 - router and the switch, meaning all VLAN traffic is being
00:22:51 - sent. But the problem is, remember I said a VLAN equals
00:22:55 - a subnet. So if a VLAN equals a subnet, what IP address do
00:22:59 - you give the router's interface? The answer is none. The physical
00:23:05 - interface itself does not get a
00:23:10 - IP address. We create sub-interfaces of that interface.
00:23:14 - Now, this is a brand new concept to this track. Sub-interfaces
00:23:19 - allow you to take one interface and break it into many. As a matter
00:23:22 - of fact, let's jump back to our network diagram here,
00:23:26 - which is getting a little messy. I have to clean it up. This router right here, router 2,
00:23:31 - I plan on being a router-on-a-stick. The one requirement that
00:23:35 - you need to have for a router-on-a-stick is it has to be a fast
00:23:39 - Ethernet interface or greater. That's why I'm not using router
00:23:42 - 1; that is a 10 meg interface, just Ethernet. That is not allowed
00:23:46 - to do a router-on-a-stick because it needs more bandwidth. There's a lot
00:23:49 - of traffic that will be coming in and out. So with this
00:23:53 - router-on-a-stick concept, we can split that one interface on router 2
00:23:57 - into multiple sub-interfaces that allow router 2 to receive
00:24:01 - packets on one sub-interface and route them right back around
00:24:04 - on another. So let me bring up the configuration window.
00:24:10 - Now, I'm going to open a session to router 2. Oops, I've got my switches open
00:24:15 - right now.
00:24:20 - Ignore that. That's an issue with my access server. So I am going to get into
00:24:24 - router 2, do a show IP interface brief. Now as of right now
00:24:29 - it has an IP address on Fast Ethernet 0/0 which
00:24:32 - is 192.168.1.2.
00:24:36 - That is, that is the known IP address that we've been using on VLAN 1. What I'm
00:24:39 - going to do is step it up a notch and start creating sub-interfaces.
00:24:44 - I'm going to type in interface Fast Ethernet 0/0.
00:24:50 - and I'm going to hit a question mark.
00:24:52 - Hoo Nelly, look at that, up to 4 billion 294 million
00:24:57 - 670 or 900, a big number, a huge number
00:25:02 - of sub-interfaces. Now, if you actually try to create that many,
00:25:05 - I'm sure your router would eventually run out of memory. The
00:25:09 - point of giving you such a big range is allowing you
00:25:11 - to pick whatever interface number that you want.
00:25:14 - Let, let me jump back to our network diagram here. As a matter of fact, hang on one second.
00:25:19 - I've got a network diagram that I have already pretty done for just what we're
00:25:21 - about to do. I have router 2's Fast, Fast Ethernet 0/0
00:25:26 - that still communicates with VLAN 1. You
00:25:29 - can mentally think VLAN 1 right there. But I'm gonna create
00:25:33 - two sub-interfaces, Fast Ethernet 0/0.10, which will communicate
00:25:38 - with VLAN 10, and Fast Ethernet 0/0.20, which will
00:25:42 - communicate with VLAN 20. Now, I'm going to need to
00:25:45 - configure a trunk port that moves from Fast Ethernet 0/4
00:25:50 - on switch 3 to router 2 in order for this to happen because
00:25:55 - otherwise it's not gonna send VLAN 10 and 20 traffic
00:25:58 - down to router 2. But before I configure the trunk port, let me get
00:26:01 - router 2 set up the rest of the way. We've got
00:26:06 - right at the, the sub-interface part, so I can type in sub-interface
00:26:10 - Fast Ethernet 0/0.20. As soon as I do that, notice it takes
00:26:14 - me into this subif configuration mode where it's just magically
00:26:19 - created a brand new interface for me. I'll give it the IP address
00:26:22 - 192.168.20.1
00:26:27 - and hit enter. Oh, I can't type these commands out of order. It says, configuring
00:26:33 - IP routing on a LAN sub-interface is only allowed if
00:26:36 - that sub-interface is already part of an IEEE 802.10,
00:26:39 - IEEE 802.1q or ISL VLAN. Meaning
00:26:44 - I need to tell this router that this sub-interface will respond
00:26:49 - to packets coming for a specific VLAN. The way I do that is I
00:26:54 - type in encapsulation,
00:26:58 - I have to spell it right, encapsulation dot1q, and then tell it what VLAN it
00:27:02 - responds for, VLAN 20. Now,
00:27:07 - oh, it just gives you a little warning. By the way, if your
00:27:10 - interface doesn't support baby giant frames, maximum MTU, you know,
00:27:14 - and so on, I'll talk about what that message means
00:27:17 - in just a moment. Let me finish this configuration. I've got encapsulation dot1q 20
00:27:20 - saying, this sub-interface responds for
00:27:24 - VLAN 20. I will hit the up arrow twice and now assign that IP address
00:27:28 - without any problem.
00:27:30 - Drop back out, type in interface Fast Ethernet 0/0.10.
00:27:35 - Let's create the sub-interface that's going to respond for
00:27:38 - VLAN 10. Hit the up arrow a couple times, get back my command
00:27:41 - for encapsulation dot1q 20. Now, let's say, this one is
00:27:45 - 10. Now, just a side note, I don't need to make this sub-interface
00:27:50 - number match the actual VLAN it works for. It's really good
00:27:54 - practice. It avoids a lot of confusion, but this is the command that
00:27:57 - actually tells the router that Fast Ethernet 0/0.10
00:28:01 - responds for packets to VLAN 10. I could make that sub-interface,
00:28:05 - you saw the range, 4 billion 200 million if I wanted to.
00:28:08 - But this is what ties it to VLAN 10. Now, I'll hit the up arrow,
00:28:15 - shoot back over here, do 10.1. So now, if I hit Control-Z
00:28:22 - and do a show IP interface brief, I have a router here that now
00:28:27 - has interfaces for VLAN 1, that's Fast Ethernet 0/0,
00:28:31 - VLAN 10 and VLAN 2 with a respective IP address
00:28:36 - from that VLAN. Now, all I have to do is assign, and I lost
00:28:41 - my dotted lines there when I changed network diagrams.
00:28:45 - I need to assign this PC from VLAN 10, an IP address from
00:28:49 - that VLAN which is 10.50, I typed it out there, and to put
00:28:53 - its default gateway to point, chooo, right there to
00:28:58 - 192.168.10.1. This PC over here in VLAN 20
00:29:02 - will be assigned an IP address from that VLAN and point
00:29:07 - to this, choooo,
00:29:10 - as its default gateway, 20.1. So when these ping each
00:29:14 - other, now you can see why it got the name router-on-a-stick, this
00:29:18 - message will cross a trunk link through the trunk link, down
00:29:22 - through the switch, over to the router, into the interface responding
00:29:26 - for VLAN 20, 20.1. It will do some loop around
00:29:29 - in that router, come back out on VLAN 10. It's tagged as being
00:29:33 - part of VLAN 10, pass these trunks, whoops, make a U-turn
00:29:36 - because it missed the, the exit point, and come down and ping
00:29:39 - this device in VLAN 10. Now, with all this in place, I want to
00:29:44 - make sure I answer the big why. Why on earth are we going
00:29:49 - through all of this hassle to create these VLANs and segment
00:29:52 - these computers and all that? Well, think back to our original
00:29:55 - point of why we have VLANs in the first place. Number one is
00:29:59 - to reduce the size of our networks. The more PCs you have on a network,
00:30:04 - if everything stays on VLAN 1, the broadcast amount keeps
00:30:07 - getting greater and greater and greater. So these PCs will
00:30:10 - start flooding the network with broadcasts. So by breaking
00:30:13 - them into VLAN 10 and VLAN 20, all the broadcasts for
00:30:17 - VLAN 10 stay on VLAN 10 and VLAN 20 stays on
00:30:20 - VLAN 20.
00:30:22 - The second reason why is as soon as I have them going through
00:30:25 - a router, and we haven't talked about how to do this yet, but we
00:30:28 - can do it and we'll do it later in the series, is we can set up a
00:30:32 - an access list that prevents VLAN 10 computers from reaching
00:30:37 - VLAN 20. I can set an access boundary to say that maybe
00:30:42 - only these computers could cross that boundary or, or this computer
00:30:45 - during this certain time of day can access that but, you know,
00:30:48 - other times of the day can't. There's a lot you can do with access
00:30:51 - control and access list. And as soon as you put things in separate
00:30:54 - VLANs and route between them, that becomes an option. Without
00:30:58 - it, you have no hope for security between those two devices
00:31:01 - on the same VLAN. So at that point,
00:31:04 - we now have the sub-interfaces configured on the router. Let
00:31:08 - me go back. I mentioned I was going to talk about this. To the
00:31:11 - message that it, it brought up, it says, if the interface doesn't support
00:31:14 - baby giant frames, maximum MTU of the interface has to be
00:31:18 - reduced by 4 bytes on both sides of the connection to properly
00:31:21 - transmit or receive large packets. Please refer to documentation
00:31:25 - and so on. What that means is normally on an
00:31:30 - Ethernet network, the biggest packet you can send is 1500
00:31:35 - bytes. That is the largest packet size that you can. But when
00:31:39 - you slip a shim, remember the tag, you put a little shim,
00:31:44 - a 4-byte shim on a trunk link to identify what VLAN it belongs to,
00:31:50 - you've actually increased the packet size to 1504 bytes.
00:31:53 - That's what people consider a, it's kind of
00:31:58 - a funny name, a baby giant. It's, it's not, it's not way big, it is just kind of
00:32:03 - big. It's bigger than what you normally send. So it's saying the router
00:32:06 - and the switch has to be able to support that, and in this case
00:32:09 - they do. Since they're both Cisco, as soon as you set this up, they automatically
00:32:12 - adjust the maximum transmission unit down to 1496 bytes.
00:32:17 - So if you add the tag back in, it, it goes to that maximum
00:32:21 - Ethernet it can handle which is 1500 bytes. So that's what
00:32:24 - that message is all about.
00:32:26 - Now, I need to go to the other side in order to make this work
00:32:29 - and configure switch number 1 with a trunk link going over
00:32:34 - to that router.
00:32:36 - So let me bring up my console connection to that switch, switch 3.
00:32:40 - I got it right here. And I'm going to type in, let's do a show CDP neighbors,
00:32:45 - and we can see that router 2 is attached to Fast Ethernet 0/4,
00:32:49 - and I can see that, that connection is there.
00:32:53 - What I'm going to do is go under that interface, interface Fast Ethernet 0/4
00:32:56 - and do a switchport mode trunk, which
00:33:02 - converts it over from an access port over to a trunk, thus matching
00:33:05 - my little red T that I have on the line there. That is now
00:33:08 - trunking so that all the VLAN traffic will go to that router.
00:33:11 - Now, what I have left to do is to attempt to ping from this
00:33:17 - PC. Let's, let's ping and see if we can reach that sub-interface
00:33:20 - on the router 2. Then I'd like to start pinging into other
00:33:25 - VLANs because since router 2 is a router, it will be able to
00:33:28 - route us in Fast Ethernet 0/20 and then it can come
00:33:32 - right back out, you know, Fast Ethernet 0/0 into VLAN 1,
00:33:36 - or it could come out Fast Ethernet 0/10 and reach
00:33:39 - VLAN 10 devices over here. So let's, let's try that. I'm going to bring
00:33:44 - up my connection. This is the PC. I'll do that ipconfig.
00:33:48 - This is the 20.20 PC that is in VLAN 20. Let's
00:33:52 - see if we can ping our default gateway, 192.168.20.1.
00:33:55 - By the way, if you're curious, I removed that
00:33:58 - layer 3 switch configuration during one of the, the breaks
00:34:02 - in my recording, and you can see that I can ping 192.168.20.1,
00:34:05 - which is my default gateway, which is
00:34:09 - the router-on-a-stick.
00:34:11 - Now, I'm going to try and ping 192.168.10.1 which is
00:34:15 - the IP address of the
00:34:19 - other sub-interface through the router, not just to the router.
00:34:23 - So I'm going to do 10.1, hit enter, and sure enough we're getting there.
00:34:26 - Let's do this, let's ping 192.168.1.1,
00:34:30 - which is an IP address over on VLAN 1, but it's
00:34:39 - not going to work.
00:34:42 - I think of these things too late. The reason why it's not going to work,
00:34:45 - here again this is the same exact thing that happened with
00:34:48 - the layer 3 switching. Let's do a packet trace here. When
00:34:51 - I ping 192.168.1.1,
00:34:54 - it comes to its default gateway and says, oh, 20.1, you are received.
00:34:58 - Let me send you out onto VLAN 1. So it goes out, you know, comes
00:35:02 - out of here, on to VLAN 1, comes up, it's actually reaching
00:35:06 - 1.1 which is this router up here, and when the router
00:35:09 - gets it, it's going, who's 192.168.1.20? Meaning
00:35:13 - I don't have a route for 192.168.1.20.
00:35:17 - Let me, let me actually take you over to router 1.
00:35:22 - I'm just going to step this up a big level right here. I'm going to go to
00:35:26 - router 1, oh!
00:35:30 - I have an old, old access server where I actually have to clear lines multiple times,
00:35:34 - and sometimes it just does that and gives me a bunch of errors. Alright, there we go.
00:35:39 - So we've got router 1. I'm going to do a show IP route on
00:35:43 - router 1.
00:35:45 - Now, you can see that it knows about 192.168.1.0,
00:35:48 - .2.0, and .3.0 because
00:35:52 - it's learned about this via RIP. It's learned about this because it's a
00:35:55 - connected interface. So what I would like to do is I would like to
00:36:00 - add a static route on router 1 that tells it about the
00:36:05 - 192.168.20 subnet, the one that we just
00:36:10 - created over here in VLAN 20. And I'm going to say to reach that
00:36:13 - that subnet, use the next hop IP address of 1.2, which it can
00:36:16 - get to, which is the router-on-a-stick which is able to route
00:36:19 - to VLAN 20. So here's how that's going to look. Go on to router 1,
00:36:23 - do IP route 192.168.20.0.
00:36:27 - That's the subnet we're trying to reach, the new VLAN.
00:36:30 - 255.255.255.0 and our next hop IP address
00:36:34 - will be 192.168.1.2 which is the
00:36:37 - IP address right here of router 2.
00:36:41 - Enter. So at this point, I should at least be able to ping 192.168.20.1,
00:36:44 - which is the default gateway
00:36:47 - on router 2, to reach VLAN 20. And sure enough I am.
00:36:51 - So now let's jump back here. You can see the, the ping was just
00:36:55 - failing for 1.1.
00:36:57 - Hit the up arrow, try it one more time, and now we are successful.
00:37:01 - The reason I wanted to do that, and I wanted to make sure that
00:37:04 - ping is working, is because I want to do a trace route,
00:37:09 - trace route to 192.168.1.1.
00:37:12 - Watch what's going to happen here. Oh, stupid Windows Vista.
00:37:19 - It turns on
00:37:24 - name resolution for trace route. Where is it? Right there, -d.
00:37:29 - Do not resolve addresses to names. So I'm going to do a trace route,
00:37:37 - trace route -d 192.168.1.1.
00:37:41 - Otherwise, it just takes forever because it's saying, what name,
00:37:43 - you know, belongs to 192.168.1.1?
00:37:46 - So I do that and right there, look at that. It shows
00:37:49 - where you, where you're going to. First hop, 192.168.20.1.
00:37:53 - That's our router-on-a-stick. Second hop
00:37:56 - is there. So that proves that we're going through our
00:38:00 - router-on-a-stick to get there rather than just being able to get
00:38:03 - directly there, and I, I think you saw it just based on the pings and
00:38:06 - tests I was doing that you're not able to, to ping from a
00:38:09 - VLAN without router capabilities. So that is, that is a router-on-a-stick.
00:38:13 - And what I'm planning on doing is putting up this VLAN
00:38:16 - screen and keeping these machines permanently in VLAN 10
00:38:20 - and VLAN 20. Now this machine I'm not really going to
00:38:24 - test in this one, because like I said it's the one that I'm recording on.
00:38:26 - If I change its IP address, things will start blowing up.
00:38:29 - But that, that will, I'll, I'll reconfigure before the next video, and
00:38:33 - it will be our second host that is able to ping between the
00:38:37 - two VLANs and between the rest of the network.
00:38:41 - Forgive me, I know we went a little longer in that video, but
00:38:43 - it was good stuff. It really puts all the VLAN concepts
00:38:47 - together in, into what VLANs are designed to do.
00:38:51 - So to wrap this series, this mini series on VLANs and
00:38:55 - VTP up, we walked through and enhanced our network. We
00:38:58 - added a few switches. We configured trunking. We set up VTP
00:39:02 - to replicate the VLANs, and then we configured the VLANs
00:39:05 - themselves, VLAN 10, 20 and 30 to replicate between
00:39:08 - the switches. In this video, we assigned those switch ports to
00:39:12 - their respective VLANs, 10 and 20 in this case, and then
00:39:15 - configured routing on the VLANs using a router-on-a-stick.
00:39:19 - Now, as I'm going through the series, each concept is building
00:39:22 - upon the last, so we're gonna keep the VLANs there throughout the rest
00:39:25 - of the series. It will help us get comfortable with them and also give us
00:39:29 - more that we're able to do with our network topology. I hope
00:39:33 - this has been informative for you, and I'd like to thank you for viewing.

Jeremy Cioara

CBT Nuggets Trainer

Certifications:
Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); CCNA Exam Cram (Exam 640-802) 3rd Edition; and CCNA Voice 640-461 Official Cert Guide.


© 2014 CBT Nuggets. All rights reserved.